412 – WordPress Security, Vulnerabilities, and Brute Force Attacks
Is there a plugin for that?
With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin from the repository.
For more great plugins, download my 50 Most Useful Plugins eBook.
Persistent Login is a simple plugin that keeps users logged into your website unless they explicitly choose to log out.
It requires no setup: simply install it and save your users time by keeping them logged into your website securely, as well as avoiding the annoyance of forgotten usernames & passwords.
WordPress Security, Vulnerabilities, and Brute Force Attacks
Thank you to those who use my affiliate links. As you know I make a small commission when someone uses my link and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page
Full Transcript
Business Transcription is provided by GMR Transcription.
On today's episode we're going to talk about WordPress security, vulnerabilities, and brute force attacks. Right here on Your Website Engineer podcast, Episode No. 412.
Hello, and welcome to another episode of Your Website Engineer podcast. My name is Dustin Hartzler. I'm excited to be here with you today because we're already talking about security, one of the favorite things in WordPress. Okay, it's maybe not my favorite thing, but I was gonna talk about Gutenberg. We've been running a lot of conversations inside of Automattic about Gutenberg and there's all kinds of threads on wptavern about Gutenberg and I was like, I'm gonna go ahead and test and try to figure out what this looks like and what my new processes are gonna be and how we're gonna test Gutenberg and see what it's gonna look like on our new site or our current sites, I guess. It'll make it look like a new site when WordPress 5.0 comes out because of Gutenberg. But I just ran into a bunch of small little things as I was testing and, as you remember, a few weeks ago I talked about how I changed all of my posts, my podcast episodes, to custom post types, and of course that's not enabled by default. For Gutenberg it's just for posts and pages, so I had to deal with some configuration issues, and all these little changes added up and I was like, "Oh, I don't have time to do a full test and record a show." So, what we're gonna do is we're gonna table that one, we're gonna talk about that one next week hopefully, and we'll go ahead and talk about WordPress security, vulnerabilities, and brute force attacks. But first, I have two announcements and a plug-in that I want to share with you.
The first one is a – this is kind of a selfish plug here, when it comes to WordCamp Dayton, which is happening on March 1st and 2nd in 2019, right here in Dayton, Ohio. And we are looking for people to come and speak, and you don't have to be a seasoned veteran when it comes to WordCamps, and if you know something, whether that be about even Photoshop or any type of the tools that you may need for designers or developers or store owners, we'd love to hear those types of topics. And so, you're gonna head on over to the show notes or you can go to 2019.dayton.wordcamp.org and you can find out more about how to sign up and how you can get involved with the WordPress space right here in Dayton, Ohio. And I promise, it will be a fun time. I can't promise you that there won't be snow in March, but that's one of the beauties of having a WordCamp when it is snowing. It's a fun activity to do inside and stay warm and you can learn from a bunch of other people and learn yourself. It's gonna be a good time. So, that's happening in about six months or so, but we are looking for speakers through the middle of November before we close that down. So, if you're interested in coming to Dayton, I would definitely like to meet you and that's the announcement on that.
The other announcement that comes via Automattic, I guess, is that the service they used to have called Polldaddy is now rebranded to CrowdSignal.com. And I don't think much has changed other than that. This is something that I actually got an email about, so it's not that it's a private matter or whatnot, but it is – they've done a whole new website over at CrowdSignal.com and it looks really great and still has a free version, but they also do have pro and corporate users as well. Their website looks gorgeous and it's part of the rebranding of Polldaddy, changing it over to CrowdSignal.
And then in the 'Is there a plug-in for that?' section, I have one that's called WordPress Persistent Login. I don't think I've ever talked about this one before. It's got about 500 active installs. It's a brand-new plug-in. But it basically is a simple plug-in that allows you to keep users logged into your website until they explicitly choose to log out. It requires no setup; you simply install it and save your users time by keeping them logged into your website securely, as well as avoid any of those annoying forgotten passwords and user names and whatnot. It basically selects the 'remember me' check box by default and it will allow users to be kept logged in for one year. And every time that a user visits your website, their login is extended to one additional year. So, that's – I mean, it's just a simple, free plug-in. It also has dashboard stats to show you how many users are kept logged in. And you can force out all users with a click of a button if you need to. So, that's a plug-in, it's called Persistent Login. You can find it in the show notes for Episode No. 412 or you can find it on the WordPress repository as always.
All right, today I wanted to talk, like I said, about Gutenberg, but I didn't have time to do all that. And I was over on iThemes' website and they have this – they're running a bunch of infographics and they're making some of these really cool infographics that can be embedded on websites, and I'll put these ones in the show notes for this episode so you can see what they are. But they're really cool and they've got some really – it's basically a lot of tips. There's, let's see… one, two, three, four, five of them that we'll go through today. And basically, we'll break down some different things, and then it's got five quick action items or five ways to correct whatever they're talking about. So, I'm gonna dive into these and I just thought it was really great content and it was very succinct and it's something that every once in a while we need to have reminders about how to keep our WordPress, our website, secure. So, let's go ahead and we'll talk about that one first. So, five ways to secure your WordPress website.
The first way is to keep your WordPress software updated. It's just as simple as that: updating your software can protect you. Don't ignore these WordPress updates; update them and make sure that you're running the latest version of your software. Use strong passwords. That's our Security 101, and No. 2 is just keep using strong passwords. Never re-use passwords and make sure that you aren't using the same passwords on multiple accounts. A password manager like 1Password or LastPass does wonders. No. 3 is use two-factor authentication. WordPress two-factor authentication adds an important layer of protection to your WordPress site by requiring a password and a secondary time-sensitive code to log in. So, use two-factor authentication whenever you can. And there is actually a website out there – I'll have to look it up and put it in the show notes – where you can see where you can set up two-factor authentication; it has a whole list of all the sites that have two-factor authentication. Also, if you're using 1Password, this is just kind of a side note. If you're using the 1Password software to save all of your passwords, there's actually a section that will now tell you, okay, these services have two-factor authentication enabled, but you don't have it turned on, and so, again, it can give you a little checklist of things to do.
Item No. 4 here is run malware scans. Sometimes your servers can get infected with malicious code and you don’t even know it, so the advice here is to run a malware scan. These scans can help you ensure that WordPress is safe and secure by alerting you whenever suspicious files are found. There's a couple ones out there, Wordfence is a good one, or Sucuri has a good one too, that can scan your website and make sure there's no malicious files. And then the last way to ensure your WordPress security is to back up your website. Back-ups ensure that if your site is ever compromised you'll be able to get it back. Just make sure that you store the back-up file in a different location than your same server. It doesn’t make a lot of sense to have your server and your back-up in the same place, in case somebody wipes out the entire server; now you've lost your back-ups as well. So, those are the things in Security 101. And then of course, since it is an iThemes thing, they do recommend iThemes Security Pro as a way to secure and protect your WordPress site. And BackupBuddy is the original WordPress back-up plug-in to back up, restore, and move WordPress.
So, that is the first infographic. The second one was all about a WordPress login strategy. And this is a security strategy that will include steps to strengthen your WordPress login. And there are five simple rules for better WordPress login security. So, the first one is, we've talked about it already, use a strong password. An ideal password is at least 12 characters long; it includes a large pool of characters including upper-case and lower-case letters, numbers, and symbols. We want to use unique passwords for every account. That's item No. 2. We want to – so, that pretty much goes without saying, and you know, we've talked about that before in the past.
The third one is limit failed login attempts. By default, WordPress doesn't limit failed login attempts. So, without the limit, WordPress can be an easy target for brute force attacks. And so, this is something that you can do with their Better WP Security, is what it used to be called, it's called iThemes Security now, and that is a good one to just say, oh, if somebody's logging in five times and it's incorrect, just block them out completely and then they won't be able to get into the site. You can also limit outside authentication attempts. These are other ways to limit WordPress, and it basically says that limiting the number of user names and password attempts to one for every XML-RPC request will go a long way in securing your website. This can also be a way that you can lock down and say, oh, from any country that is not the United States, lock down and don't let people try to log in. You have those options as well. And then two-factor authentication, we talked about that already, and we won't have to go over that again. But it does mention the iThemes Security plug-in, which will allow you to do two-factor authentication, brute force protection, strong password enforcement and more, and you can do all of that with the free version on the WordPress repository. And then they have a paid version where you can get even more security goodness with their paid premium version.
No. 3 is the top five WordPress security vulnerabilities. And so, since you're listening to this show, you have a WordPress website or you will have a WordPress website really, really soon, you need to be aware of the potential WordPress security vulnerabilities, and most of them can be prevented if you follow these few steps. So, the first one is if you're hosting on a poor host, and that's not to say the cheap hosts that are out there, but it is maybe a host that isn't up on WordPress; maybe they have no idea how to properly install and have WordPress secure on your website. One of the best recommendations is to go to a host that specializes in WordPress, whether that be shared hosting or a VPS type service; either of those do a fantastic job of helping you stay secure and helping make it harder for people to log in and just have some sort of attack on your server. The second place where vulnerabilities happen is with your WordPress login. So, the WordPress login is the most commonly attacked vulnerability because it provides a door to get into the WordPress site. The third security vulnerability is outdated software. We talked about this as well. When your WordPress site is running outdated versions of plug-ins, themes or WordPress, you run the risk of having these known exploits on your site. Updates aren't just for new features or bug fixes; they also include important security patches for those known exploits.
PHP exploits is No. 4. This is another common method used by hackers to gain access to your WordPress site, so it's crucial to make sure that you're running the latest version there. And latest is kind of – it really depends, and so on some hosting servers the latest will be 7.2, but some will only go up to 7.0 depending on the host and their comfort level with their technology. So, you want to make sure that you are using the latest version of PHP. And then the fifth security vulnerability is installing software from untrusted sources. And so, only install software that you get from WordPress.org or well-known commercial repositories, or directly from reputable developers. And you want to make sure that you aren't getting any of the commercial plug-ins downloaded free. You don't want to use those because those could contain malicious code. So, you want to make sure of that as well; you're not Googling 'free version' of WooCommerce Bookings and then finding somebody who has a free unlicensed version, because not only could the code be outdated, but it also could have malicious intent and malicious code running in the background that can help that person who's distributing that free version. So, you want to make sure that you're never using that.
And then a bonus tip here is about running non-SSL sites: adding an SSL certificate to your website ensures that only intended recipients can view sensitive information like login credentials, form submissions, and even billing information. And so, you want to make sure that you are using an SSL certificate to make sure that you do not have that security vulnerability on your website. So, that's the third one, talking about security and vulnerabilities. The fourth one is the '5 Common WordPress Security Issues'. So, these are five things that happen when it comes to somebody getting into your WordPress site. And so, security vulnerabilities extend beyond WordPress core into themes and plug-ins, and according to a recent report by wpscan.org, of the 3,972 known WordPress security vulnerabilities, 11 percent of them are from themes, 37 percent are from core WordPress, and 52 percent are from plug-ins. So, these security issues can happen from all three of those places: core WordPress, themes, and plug-ins.
Let's talk about the five security issues that we need to be aware of. The first one is brute force attacks, and we'll talk about that one a little more in the next segment. But WordPress brute force attacks refer to the trial and error method of entering multiple user names and password combinations, over and over until a successful combination is discovered. It exploits the simplest way to access your website, through the WordPress login screen. So, that is one way that people can get in. Another way is file inclusion exploits. What this means is when vulnerable code is used to load remote files that allow attackers to gain access to your website. So, file inclusion exploits are one of the most common ways an attacker can gain access to a file like wp-config. And that's the most important file in your WordPress installation because inside the wp-config file, it showcases and highlights the username and password of your server, and it tells the prefix of your database tables, and it just basically gives a hacker the keys to your website and they can get right in.
The next one we want to make sure that we're staying clear of is SQL injections. So, your WordPress website uses MySQL as a database to operate. SQL injections occur when an attacker gains access to your database and all of your website data as well. SQL injections can also be used to insert new data into your database, including malicious or spam websites. This has happened to me in the past before and it is super annoying when it happens. They can inject code into your template files or into your plug-in files, which is annoying, but when they inject SQL commands, then they can get in and they can run commands to delete your entire database or they can add rows and rows, and rows of spam links everywhere and it's just super, super, super annoying. So, you want to make sure that you're aware of that.
Another one is cross-site scripting. This is a vulnerability that is most commonly found in WordPress plug-ins. The basic mechanism of cross-site scripting works like this: an attacker finds a way to get a victim to load web pages with insecure JavaScript. So, it's something that can happen; it's something that I haven't seen a whole lot take place in the WordPress space, but it is something that's possible. And then the fifth reason is malware. Malware is… it's just short for malicious software. It's code that is used to gain unauthorized access to a website to gather sensitive data. A hacked WordPress site usually means malware has been injected into your website's files and again, this one has happened to me before as well. It's super annoying to go in and try to clean up all of those files so that I didn't have malware all over again. That's one good point: to have a good back-up, and then I could've just rolled back to a version of my website that didn't have that. I don't know if I had a good website or if I'd discovered it or it wasn't an important site. I forget what the reasons were that some of the sites that I had had malware. It's just super annoying to try to roll back and get a good version of a website.
And then, the last infographic they have here is a guide to brute force attacks, and I thought this was really important to talk about as well as we're talking about these security things. And a brute force attack refers to a trial and error method used by hackers and bots to discover username and password combinations in order to gain entry into a website. So, an attacker will systematically check unlimited passwords until the correct one is found. Depending on your server settings, an attacker can go through about 1,000 different password variations per minute. So, it's basically, it's not somebody sitting in front of the computer just trying password after password. It is a computer checking one password after another. And like I said, it can go through 1,000 different password variations per minute. So, if you have a weak password, you should welcome – you're welcoming brute force attacks, you should change your password as soon as possible.
The top passwords for 2017, some of these are kind of fun, so I'll read these 12. The first one is 123456, password, 12345678, qwerty, 12345, 123456789, letmein, 1234567, football, iloveyou, admin, and welcome. And 10 percent of people have used at least one of these 25 worst passwords. And so, it's crazy the passwords that you can see; five of them had the combination 12345 or additional numbers. And so, if you have any passwords like that, make sure that you are changing those. Put that on your to-do list to do this week. Five ways to prevent brute force attacks: use strong, complex passwords, don't reuse passwords, don't use admin as your user name, limit failed login attempts, and add two-factor authentication to your WordPress site.
And we talked about all of these things earlier within the other infographics, but just as a reminder: use strong passwords, don't re-use passwords, don't use 'admin' as your username – because if you use 'admin' that's like one of the first things that a hacker will check, and then if they get admin, now they have one of the two pieces already and then they just have to check a bunch of passwords until they figure out what your password is – limit failed login attempts, and add two-factor authentication. And there is the iThemes Security plug-in that can help you with all of those things as well. And that's what I wanted to share with you today, just kind of a snippet of things that we need to remember. It's been a while since we've talked about WordPress security, but it should be at the forefront of our minds all the time. We shouldn't ever give out our password for our account. If somebody needs access to our website, maybe you're talking with a support person or whatnot, create a brand-new account for them so they can log in and do their thing, and then as soon as they're done – as soon as that interaction is over – then you can remove that account. That just makes it kind of a clean break. And just make sure that you're never giving other people – maybe they're contributors to your website – more than they need: only give them the access they need, don't give everybody admin rights because then they can go in and mess up a lot of things, but just give them the editor permission or the reader position or subscriber or whatever level of permission that they need.
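The two login controls from the login-strategy segment and the brute force segment above, limiting failed login attempts and allowing only one credential check per XML-RPC request, as an added example written for this page (it is not code from the show, from iThemes Security, or from any plugin mentioned): a must-use plugin that counts failures per client IP and username in transients, refuses further attempts after five failures for fifteen minutes, and removes the XML-RPC system.multicall method. The five-attempt and fifteen-minute values are constructed for the example, and it assumes WordPress 5.4 or newer with $_SERVER['REMOTE_ADDR'] holding the real client address.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example for this page, not a published plugin. Save it as
 * wp-content/mu-plugins/example-login-lockout.php and WordPress loads it automatically.
 * Assumes WordPress 5.4+ and that $_SERVER['REMOTE_ADDR'] is the real client address
 * (behind a reverse proxy, derive the address from the proxy's trusted header instead).
 */

// Constructed policy values for this example: five failures, then a 15-minute lockout.
define( 'EXAMPLE_LOCKOUT_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

/** Transient key scoped to client IP + username, so one noisy IP cannot lock out every user. */
function example_lockout_key( $username ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'example_lockout_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

/** Current failure count for this IP + username (0 when none recorded or the window expired). */
function example_lockout_failures( $username ) {
	return (int) get_transient( example_lockout_key( $username ) );
}

/**
 * Count every failure. wp_authenticate() fires this hook for wp-login.php and for
 * XML-RPC logins alike, so both doors share one counter.
 */
add_action( 'wp_login_failed', function ( $username, $error = null ) {
	$count = example_lockout_failures( $username ) + 1;
	// Each failure restarts the window, so a locked-out client that keeps trying stays locked.
	set_transient( example_lockout_key( $username ), $count, EXAMPLE_LOCKOUT_SECONDS );
	if ( $count >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
		// Leave a trail for detection: which account, how many tries, from which address.
		error_log( sprintf( 'login lockout: user=%s attempts=%d ip=%s',
			$username, $count, isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown' ) );
	}
}, 10, 2 );

/**
 * Enforce the lockout. Core's own handlers run at priority 20-30 and return a WP_User on a
 * correct password regardless of earlier errors, so this filter runs last and overrides them.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( '' === (string) $username ) {
		return $user;
	}
	if ( example_lockout_failures( $username ) >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
		return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
	}
	return $user;
}, PHP_INT_MAX, 3 );

/** A successful login clears the counter for that IP + username. */
add_action( 'wp_login', function ( $user_login ) {
	delete_transient( example_lockout_key( $user_login ) );
} );

/**
 * XML-RPC: one credential check per request. system.multicall lets a single request bundle
 * many method calls, each with its own username/password, so removing it makes every guess
 * cost a full HTTP request and keeps each one visible as its own line in the access log.
 */
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['system.multicall'] );
	return $methods;
} );
```

The error_log lines are what a malware scanner or log monitor can alert on, and the lockout applies to the correct password too, which is the point: after five failures the account is unreachable from that address until the window expires.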
So, that is your security update for October 2018. Next week, and over the course of this next week, I'll be taking some time to go through Gutenberg. I'm kind of gonna look at it with a fine-toothed comb, see what it's gonna do to my posts and my pages, and kind of get ready for it. As we talk now, the soft launch date, or the target launch that we're talking about, is November 15th or November 19th, one of those two days. So, that's coming up in less than a month. We're talking about three weeks or so, and that will be part of WordPress 5.0 that will roll out to the masses. So, we want to be ready for that. We want to get prepared so we are ready, and we don't get panicked when that happens and when it rolls out.
And then lastly, right before I go, I want to say thank you to Murph Lloyd, 73, from the U.K., who posted an iTunes review, and this one says, "Too many podcasts of this type waste much of your time that I don't have with pointless, irritating, irrelevant chit chat. I like this one because Dustin gets straight to the point sharing very useful in a very accessible way without the time-wasting rubbish found in other podcasts." Thank you so much for that review. I love the fact that they used 'rubbish' in there. That is completely from the U.K. and I appreciate that, and I do my best to try to keep these short, succinct, and get you on your way so you don't have to waste a lot of time listening to banter about different things and conversations about things that may or may not happen in the WordPress space. But this is in a very timely manner and we want to make sure that a few times a year we are thinking about our security and we are looking through and making sure that we are doing the best to keep our WordPress site secure.
That's what I want to share with you this week. Take care and we'll talk again soon. Bye-bye.